CVE-2021-1143
13.01.2021, 22:15
A vulnerability in Cisco Connected Mobile Experiences (CMX) API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system. The vulnerability is due to a lack of authorization checks for certain API GET requests. An attacker could exploit this vulnerability by sending specific API GET requests to an affected device. A successful exploit could allow the attacker to enumerate users of the CMX system.Enginsight
Vendor | Product | Version |
---|---|---|
cisco | connected_mobile_experiences | 10.6.0 |
cisco | connected_mobile_experiences | 10.6.1 |
cisco | connected_mobile_experiences | 10.6.2 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-863 - Incorrect AuthorizationThe software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
- CWE-862 - Missing AuthorizationThe software does not perform an authorization check when an actor attempts to access a resource or perform an action.